If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place – within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know.

It's that bad. The headline-grabbing line that many news sites have run with is that the unchangeable WEP encryption key used on the machines was "abcde." Meaning it was crazy easy for people to hack into (even if you didn't know the password originally, it would not be difficult to figure that out just by monitoring the system). But that's just the start. Other massive problems, explained by Epstein:

The system hasn’t been patched since 2004 (which we knew). What we didn’t know is that the system is running a whole bunch of open ports with active services. The report specifically notes that ports 135/tcp, 139/tcp, 445/tcp, 3389/tcp, 6000/tcp and 16001/tcp are all running unpatched services. (Layman’s explanation: the voting machines aren’t just voting machines, they’re also servers happy to give you whatever files you ask for, and various other things, if only you ask. Think of them as an extra disk drive on the network, that just happens to hold all of the votes.) (Obdisclosure: In retrospect, I *probably* could have figured this out a few years ago when I had supervised access to a WinVote with a shell prompt, but I didn’t think of checking.)

The system has a weak set of controls – it’s easy to get to a DOS prompt (which we knew). What we didn’t know is that the administrator password seems to be hardwired to “admin”.

The database is a very obsolete version of Microsoft Access, and uses a very weak encryption key (which I knew a couple years ago, but didn’t want to disclose – the key is “shoup”, as also disclosed in the VITA report). What we didn’t know is that there are no controls on changing the database – if you copy the database to a separate machine, which is easy to do given the file services described above, edit the votes, and put it back, it’s happy as can be, and there are no controls to detect that the tampering occurred.

The USB ports and other physical connections are only marginally physically protected from tampering. What we didn’t know is that there are no protections once you plug something into one of these ports. What this means is that someone with even a few minutes unsupervised with one of the machines could doubtless replace the software, modify results, etc. This is by far the hardest of the attacks that VITA identified, so it’s almost irrelevant given how severe the other problems are.
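The database paragraph above says the machine has no control that would notice a copied, edited and restored vote database. Here is an added example (not Epstein's code and not anything from the WinVote software) of the kind of check that would: an HMAC-SHA256 tag computed over the results file under a key that is generated and kept off the machine, with verification failing once the file has been edited. The file name, key and tally contents are constructed for the example; a JSON file stands in for the Access database.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# Constructed sample "database": on the real machines this would be the
# Access file; here a small JSON tally stands in for it.
SAMPLE_TALLY = {"precinct": "EXAMPLE-01",
                "votes": {"Candidate A": 312, "Candidate B": 287}}


def seal(db_path: Path, key: bytes) -> bytes:
    """HMAC-SHA256 tag over the raw bytes of the results file.

    The key and the tag stay with the electoral board, not on the machine,
    so whoever can rewrite the file still cannot produce a matching tag.
    """
    return hmac.new(key, db_path.read_bytes(), hashlib.sha256).digest()


def verify(db_path: Path, key: bytes, tag: bytes) -> bool:
    """True only if the file is byte-for-byte what was sealed."""
    return hmac.compare_digest(seal(db_path, key), tag)


def tamper(db_path: Path) -> None:
    """Simulate the copy/edit/put-back scenario: move 100 votes between candidates."""
    data = json.loads(db_path.read_text())
    data["votes"]["Candidate A"] -= 100
    data["votes"]["Candidate B"] += 100
    db_path.write_text(json.dumps(data))


def demo() -> dict:
    """Seal, verify, tamper, verify again; returns both verification results."""
    key = os.urandom(32)  # constructed key; in practice generated and held off-machine
    with tempfile.TemporaryDirectory() as d:
        db = Path(d) / "results.json"      # constructed file name
        db.write_text(json.dumps(SAMPLE_TALLY))
        tag = seal(db, key)                # taken at close of polls
        before = verify(db, key, tag)      # True
        tamper(db)                         # the attack the report describes
        after = verify(db, key, tag)       # False: tampering detected
    return {"before_tamper": before, "after_tamper": after}


if __name__ == "__main__":
    print(demo())
```

The reason for a keyed tag rather than a plain hash or the database's own "encryption key": anyone who can read and rewrite the file can also recompute an unkeyed hash, so only a key the machine never holds gives the electoral board something an attacker cannot forge. It is detection only; it does not stop the edit, and it does nothing about the open file shares the report lists.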

And, as Epstein notes, the Virginia Information Technology Agency figured all of this out on its own -- in other words, it wasn't given the source code for these machines. That means, pretty much anyone probably could have figured out the same things. Epstein makes it clear just how easy this process is:

Take your laptop to a polling place, and sit outside in the parking lot.

Use a free sniffer to capture the traffic, and use that to figure out the WEP password (which VITA did for us).

Connect to the voting machine over WiFi.

If asked for a password, the administrator password is “admin” (VITA provided that).

Download the Microsoft Access database using Windows Explorer.

Use a free tool to extract the hardwired key (“shoup”), which VITA also did for us.

Use Microsoft Access to add, delete, or change any of the votes in the database.

Upload the modified copy of the Microsoft Access database back to the voting machine.

Wait for the election results to be published.

As he points out, the only bits that might take some sort of technical expertise are extracting the passwords, but that's not that hard, and the kind of thing that lots of script kiddies have figured out how to do with free online tools for ages. Epstein points out that the Diebold machines that everyone mocked a decade ago were "100 times more secure" than these WinVote machines.

Richard Herrington, secretary of the Fairfax City Electoral Board, said he was unconvinced that WINVote machines were risky enough to warrant decertification.

“No matter how much time, money and effort we could put into a device or a system to make it as secure as possible, there is always the possibility that someone else would put in the time, money and effort to exploit that system,” he said.

Richard Herrington is both right and wrong. Yes, it's true that almost any system will have security vulnerabilities, but he's ridiculously, laughably wrong, in suggesting that these machines are likely secure enough. These machines don't require a sophisticated hacker (especially now that the VITA revealed all the necessary passwords). Basically anyone can change the votes however they want based on the information that has been revealed.

For years, whenever we'd point to concerns and problems with e-voting machines, people would argue that it was just conspiracy theories and that these machines were mostly "secure enough." Yet, time and time again, we've discovered that the machines weren't even the tiniest bit secure -- and this is just the most egregious example so far.

Re: Voter IDs

I assume you're being sarcastic? If 70% of the people voted for Republican here, someone could hack it, and make the vote 90% for Democrats instead. Voter ID or no Voter ID. This has nothing to do with WHO goes to the vote.

Re: Re: Voter IDs

I'd say it depends on the ID used. Take, for example, the DoD Common Access Card. It contains a smart card chip that has an embedded security module, and exists as a part of a PKI. Using this as a basis for an ID, you can digitally sign your vote record, which will allow the vote counter to detect the alteration when it is counted (assuming that the attacker can't break the PKI system).

Re: Voter IDs

Fraud and stolen elections are committed far, far more often by those who count the votes than those who cast the ballots.

There's also more states than there are people who have been prosecuted for voter fraud (illegally casting votes) in the last 10 years. In a nation of over 300 million, that's a very insignificant number.

Re: These are features, not bugs

No, they're bugs. If you want to install a backdoor on a system for your buddies to use, you probably don't want to make it so insecure that any random script kiddie could use it with only a minimal amount of experimentation.

The security on these devices is so pitiful that I think the proper way to describe them is "unsecured".

Re: Re: These are features, not bugs

On the other hand, a carefully crafted backdoor makes it clear who the guilty party is. Poor security that any script kiddie could compromise widens the suspect pool and can allow the guilty party to walk away clean.

Re: Re: Re: These are features, not bugs

But it also makes it impossible to have confidence that the election-fixing you want to have happen is the election-fixing that actually happens. Someone else could come in and change your carefully changed election results.

Re: Re: Re: These are features, not bugs

''a carefully crafted backdoor makes it clear who the guilty party is. Poor security that any script kiddie could compromise widens the suspect pool and can allow the guilty party to walk away clean''

The Diebold machines at the voting precincts 'phone home' also.

HeHe 10 years ago the LA Green Party was so hard on the LA County Reg-O-voters about 12 'donated' wired-in-parallel Dell machines and the 6foot tall 'donated' Cisco 19inch rack & the Cat-5 LAN cables running out the ceiling panels that they installed a new Honorary 'John Wenger' viewing window in the counting room; ''because we let the counters watch their laptops after the polls close''. That second floor has a few hallway 'viewing windows' AND two full walls of external glass.

I say let a million 14year-olds get to work and pick the next US President!

why why why

Why are any of the stand alone voting machines connected to the net? My old Crypto Professor used to say "The only really secure connection is NO connection". Each voting station should be a stand alone box, not connected to ANYTHING. At the start of the day you load it with the polling options. At the end of the day you pull the flash drive for storage, syncing with the rest of the machines, and finally to upload the results. Secondarily every person should get a "receipt" print off of their vote as a backup.

Re: why why why

"Why are any of the stand alone voting machines connected to the net?"

An even better question is... why in the world are we using computerized voting machines at all? It's completely unnecessary and dramatically enlarges the attack surface even if they aren't connected to the net.

So if in 2016 the entire state of Virginia votes for write-in candidate and the FBI's most wanted terrorist Ahmad Abousamra for President do you think Herrington would recognize that there's a security issue here?

Virginia was a Diebold state

Digitizing is only going to be serviceable with a system that renders digital security in a physically verifying way. Pollsters are volunteers and can't be expected to understand infosec.

One method might be block chaining the votes with an interspersed random video that can be physically verified. (more or less Johnny Mnemonic style). In that way the pollster could watch bugs bunny during the poll, and then go with the machine to the counting site, and then watch bugs bunny again, to verify the data integrity. In that way you could have multiple verifying parties, who themselves would have no requirement for technological competency.

Still a waste of time IMHO. Stuff like "hanging chads" is how you know which states are corrupt. So even if technology can mitigate corruption, it doesn't mitigate the opacity caused by digital abstraction. IOW, it is just as important to know how corrupt you are, as to be less corrupt.
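The chaining idea in the comment above, as an added example that is not part of the comment or of any voting product: each vote record is hashed together with the link of the record before it, and the final link (the "head") is what the pollster records by hand at close of polls. Verification then catches both an in-place edit, which breaks an internal link, and an edit followed by a rebuilt chain, which only the externally recorded head exposes. Record contents and the genesis value are constructed for the example.

```python
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # constructed starting link


def link_hash(prev_hash: str, record: Dict) -> str:
    """SHA-256 over the previous link and the canonical JSON of this record."""
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(chain: List[Dict], record: Dict) -> None:
    """Add a vote record, binding it to everything already in the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "hash": link_hash(prev, record)})


def head(chain: List[Dict]) -> str:
    """The last link: the value that is written down or published off-machine."""
    return chain[-1]["hash"] if chain else GENESIS


def verify(chain: List[Dict], expected_head: Optional[str] = None) -> Optional[int]:
    """None if every link checks out and (when given) the head matches.

    Otherwise the index of the first failing entry; len(chain) means the
    internal links are consistent but the head differs from the published one.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["hash"] != link_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None


def sample_chain() -> List[Dict]:
    """Five constructed ballots; the choices are placeholders, not real data."""
    chain: List[Dict] = []
    for seq, choice in enumerate(["A", "B", "A", "A", "B"]):
        append(chain, {"seq": seq, "choice": choice})
    return chain


def demo() -> Dict[str, Optional[int]]:
    chain = sample_chain()
    published = head(chain)  # what the pollster copies down at close of polls

    # Tampering 1: flip one stored record in place; its link no longer matches.
    edited = json.loads(json.dumps(chain))
    edited[2]["record"]["choice"] = "B"

    # Tampering 2: flip the record and recompute every later link, so the
    # chain is internally consistent; only the published head exposes it.
    rebuilt: List[Dict] = []
    for entry in chain:
        rec = dict(entry["record"])
        if rec["seq"] == 2:
            rec["choice"] = "B"
        append(rebuilt, rec)

    return {
        "intact": verify(chain, published),                       # None
        "edit_in_place": verify(edited, published),               # 2
        "edit_and_rebuild": verify(rebuilt),                      # None: links consistent
        "edit_and_rebuild_vs_head": verify(rebuilt, published),   # 5: head mismatch
    }


if __name__ == "__main__":
    print(demo())
```

The "watch the video twice" part of the comment corresponds to comparing the head recorded at the precinct with the head recomputed at the counting site; a chain whose head is only stored on the machine proves nothing, since the attacker who rewrites the records can rebuild the links too. The chain also does not say who appended a record, which is what the earlier suggestion of signing each vote with a PKI credential would add on top.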

"Secure enough"

For years, whenever we'd point to concerns and problems with e-voting machines, people would argue that it was just conspiracy theories and that these machines were mostly "secure enough."

This completely misses the point. A legitimate democratic election must be understandable by the general public and have their trust. Any system that requires a PhD in security engineering is not suitable, whether or not people with that knowledge say it's safe. (Maybe in 50 years or so, if "everyone" understands the security implications well enough, such systems could be considered.)

wrote in members of the silly party

It is impossible to believe that the Virginia Department of Elections was the first to know about this. So, one must assume that dozens of people, many with much to gain, have known about this for years. Those are precisely the kind of people that would use this without qualms. So, take various comforting phrases like "we know of no actual exploits" with a salt mine full of salt, because the odds are highly likely that they have been exploited.

Re:

" take various comforting phrases like "we know of no actual exploits" with a salt mine full of salt"

I would put it a bit more strongly than that: take it as entirely meaningless. The exploits that are possible on these machines are such that they can be accomplished without leaving a trace. So, unless someone were caught in the act, they would not be noticed.

Obvious solution

Store a copyrighted string in the Access database, so that the password "effectively controls access to a protected work." Then stealing the election will be a DMCA violation, and nobody dares commit copyright violation with the DMCA hanging around.